
Mobile Application Security Review Checklist

The document provides a checklist for mobile application security reviews. It lists various platform-specific checks across categories like data protection, session management, privacy, reverse engineering, network connections, and logging. The checklist examines files, data storage, permissions, encryption, and APIs for potential security issues.

Uploaded by

budi.hw748

Mobile Application Security Review - Checklist

Data Protection

| Platform | Check | Description | Status |
|---|---|---|---|
| All | Local storage | Look for files and directories under the application directory to check for any sensitive information | |
| iOS | plist files | Look at the plist file to check for any sensitive information | |
| All | Check keyboard cache | Monitor keyboard cache file | |
| iOS | Check snapshots | Browse application, press home button before checking this | |
| All | Check clipboard | Verify clipboard file for any changes | |
| All | Check SQLite database file | Look for SQL files (usual extensions are .sqlite, .db or .sqlitedb) | |
| All | Log files | Check crash reports, application log files and device log files for sensitive information stored in log files | |
| All | SQL injection against local DB file | Check database log files to see the types of queries used in the application | |
| Android | Check "debuggable" flag in manifest file | Check whether the debuggable flag is true/false | |

Session Management

| Platform | Check | Description | Status |
|---|---|---|---|
| iOS | Cookies.binarycookies file | Extract cookies from the Cookies.binarycookies file to verify what the application is storing in cookies | |
| iOS | Extract data from keychain file | Use keychain dumper to extract keys from the keychain to verify what the application stores in the keychain | |

Privacy

| Platform | Check | Description | Status |
|---|---|---|---|
| iOS | Does application run in the background | Check Info.plist for the "application does not run in background" flag | |
| iOS | Information in push calls | Check what information is sent in push calls | |
| iOS | Does application gather personal information | Check whether the application gathers UDID or location tracking | |
| Android | Does application gather personal information | Look for usage of the "Build" class in the application | |
| iOS | Check for third-party calls | Look for a pattern in the binary to see if the application is making any third-party calls | |
| All | Remembering information in sensitive fields | Check sensitive fields to see whether autocompletion and remember-values options are enabled/disabled | |

Reverse engineering

| Platform | Check | Description | Status |
|---|---|---|---|
| iOS | Is binary encrypted | Use otool to check whether files are encrypted | |
| iOS | Run binary in gdb to check for sensitive calls | Run binary in debugger to check for any unsafe API calls | |
| Android | Decompile binary | Decompile binary and look for any unsafe API calls | |

Network Connection

| Platform | Check | Description | Status |
|---|---|---|---|
| All | Check network connection from the application | Check what type of connections are made from the application | |
| All | Check SSL handling | Check how the application handles the SSL certificate | |

Client Side web exploitation

| Platform | Check | Description | Status |
|---|---|---|---|
| All | WebView control | Check whether the application uses WebView control | |

Logging

| Platform | Check | Description | Status |
|---|---|---|---|
| All | Check what information the application logs | | |

© eSphere Security Solutions Pvt. Ltd.
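Two of the static checks above (the Android "debuggable" manifest flag and the iOS "application does not run in background" plist flag) scripted as an added example; this is not code from the checklist's authors. It assumes a decoded text AndroidManifest.xml (as apktool produces) and an XML-format Info.plist, both constructed inline, and uses UIApplicationExitsOnBackground, the key Xcode stores for that setting.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a decoded (text) AndroidManifest.xml, as apktool would produce.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:label="Demo" android:debuggable="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample: an XML-format Info.plist. UIApplicationExitsOnBackground is the
# key behind Xcode's "Application does not run in background" setting.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>UIApplicationExitsOnBackground</key><false/>
</dict>
</plist>"""


def manifest_debuggable(manifest_xml: str) -> bool:
    """True when <application> carries android:debuggable="true" (the app accepts a debugger)."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False
    return app.get(f"{{{ANDROID_NS}}}debuggable", "false").strip().lower() == "true"


def plist_exits_on_background(plist_bytes: bytes) -> bool:
    """True when Info.plist tells iOS to terminate the app instead of suspending it."""
    return bool(plistlib.loads(plist_bytes).get("UIApplicationExitsOnBackground", False))


def review_findings(manifest_xml: str, plist_bytes: bytes) -> list:
    """Collect checklist findings for the supplied Android manifest and iOS plist."""
    findings = []
    if manifest_debuggable(manifest_xml):
        findings.append("Android: android:debuggable is true in the manifest")
    if not plist_exits_on_background(plist_bytes):
        findings.append("iOS: app is suspended in the background; review screen snapshots")
    return findings


if __name__ == "__main__":
    for finding in review_findings(SAMPLE_MANIFEST, SAMPLE_INFO_PLIST):
        print("[!]", finding)
```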
